New iOS vulnerability could see legit apps replaced with malware

A new security vulnerability within Apple’s iOS software could allow for apps containing malware to be loaded over the top of legitimate apps, according to new research.

Security researchers at FireEye have identified the ‘Masque Attack’, a way for attackers to sideload apps onto iPhones via links that point outside the App Store.

The vulnerability, according to the research, comes through Apple’s enterprise/ad-hoc provisioning system, which enables iPhone or iPad owners to install applications from links within texts or emails instead of going through the official portal.

iOS provisioning profiles let developers share beta versions with testers and let companies distribute applications to their employees. Users must have a provisioning profile installed on their phone in order to be vulnerable to the attack.

As explained in the video below, users may receive an SMS offering a ‘New Flappy Bird’ version and asking them to follow a link in order to download the app.

Instead of giving users a new version of Flappy Bird, the link could silently replace an app such as the official Gmail app. The researchers claim the victim would be none the wiser.

The flaw is down to the fact that Apple doesn’t “enforce matching certificates for apps with the same bundle identifier” according to FireEye.

“In one of our experiments, we used an in-house app with a bundle identifier ‘com.google.Gmail’ with a title ‘New Flappy Bird’. We signed this app using an enterprise certificate. When we installed this app from a website, it replaced the original Gmail app on the phone,” the post read.

If the malware replaces a legitimate app, cyber-criminals could potentially steal log-in credentials from the app’s local data. This would be especially damaging with banking apps.

“Surprisingly, the malware can even access the original app’s local data, which wasn’t removed when the original app was replaced. These data may contain cached emails, or even login-tokens which the malware can use to log into the user’s account directly,” FireEye added.
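To make the two points above concrete, here is an added Python model (not FireEye's code and not iOS internals) of an installer that keys apps by bundle identifier: in the weak mode it replaces an existing app whenever the bundle identifier matches and keeps the old app's local data, while the hardened mode also requires the signing certificate to match. The app names, the `signer` labels and the sample login token are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class App:
    bundle_id: str   # e.g. "com.google.Gmail"
    title: str       # name shown to the user
    signer: str      # label standing in for the signing certificate (constructed)


@dataclass
class Device:
    # bundle_id -> [installed App, that app's local data]
    apps: dict = field(default_factory=dict)

    def install(self, incoming: App, enforce_matching_cert: bool) -> str:
        entry = self.apps.get(incoming.bundle_id)
        if entry is None:
            self.apps[incoming.bundle_id] = [incoming, {}]
            return "installed"
        installed, data = entry
        if enforce_matching_cert and installed.signer != incoming.signer:
            # Hardened policy: same bundle identifier but a different certificate -> refuse.
            return "rejected"
        # Behaviour FireEye described: the app is replaced and its local data is kept.
        self.apps[incoming.bundle_id] = [incoming, data]
        return "replaced"


def masque_scenario(enforce_matching_cert: bool) -> tuple:
    """Return (install result, title now under com.google.Gmail, login token still present)."""
    device = Device()
    gmail = App("com.google.Gmail", "Gmail", "app-store-cert")
    device.install(gmail, enforce_matching_cert)
    # Constructed local data left behind by the legitimate app.
    device.apps[gmail.bundle_id][1]["login_token"] = "constructed-sample-token"

    # Same bundle identifier, different title, signed with an enterprise certificate.
    masque = App("com.google.Gmail", "New Flappy Bird", "enterprise-cert")
    result = device.install(masque, enforce_matching_cert)

    app, data = device.apps[gmail.bundle_id]
    return result, app.title, "login_token" in data


if __name__ == "__main__":
    print(masque_scenario(enforce_matching_cert=False))  # ('replaced', 'New Flappy Bird', True)
    print(masque_scenario(enforce_matching_cert=True))   # ('rejected', 'Gmail', True)
```

The weak mode shows why the retained data matters: the replacement app inherits the token, whereas the hardened check never lets the replacement happen.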

“We have seen proofs that this issue started to circulate. In this situation, we consider it urgent to let the public know, since there could be existing attacks that haven’t been found by security vendors. We are also sharing mitigation measures to help iOS users better protect themselves.”

Those mitigation measures involve iOS users checking their settings to see if they have any provisioning profiles installed on their device by going to Settings > General > Profiles, although iOS 8 does not show the provisioning profiles.
